Hi all,
Can someone please provide more information as to how you get JBrowse to require a login cookie. The docs linked don't give any information:

http://gmod.org/wiki/JBrowse_Configuration_Guide#Authentication_and_Access_Control

I just need to know:

How do I tell JBrowse that it should be checking for a login (I assume there's a config value to be set)
What value needs to be set in the cookie (I can see the cookie and that it has picked up my manually configured 'documentDomain')

If someone can point me in the correct direction I'm happy to update documentation with a proven example.

Thanks,

Keiran Raine
Principal Bioinformatician
Cancer Genome Project
Wellcome Trust Sanger Institute
Tel: +44 (0)1223 834244 Ext: 7703
Office: H104
--
The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.

_______________________________________________
Gmod-ajax mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/gmod-ajax
Hi Keiran,
I'm not sure if someone more experienced replied to you yet. But for what it's worth, this is what I did with CAS. It looked like everything that JBrowse does is within index.php. (Someone correct me if I'm wrong.) So, I put in an

-----
<?php if (authenticated()) { // All this from index.php ?>
<div id="GenomeBrowser" style="height: 100%; width: 100%; padding: 0; border: 0;"></div>
<div style="display: none">JBrowseDefaultMainPage</div>
<?php } else {
    // Show some error message and redirect to a CAS login page
} ?>
-----

The "authenticated" part is where I call a CAS-based function that returns a Boolean variable. I presume you can replace that with something that queries an SQL database and/or a cookie. (Many web pages describe how to do this better than I can.)

I mentioned before that I didn't know if this was fool-proof. I don't know if someone can bypass this page to see the data. It's on my to-do list...

On Wed, Jun 8, 2016 at 9:31 PM, Keiran Raine <[hidden email]> wrote:
> Can someone please provide more information as to how you get JBrowse to require a login cookie. The docs linked don't give any information:
>
> http://gmod.org/wiki/JBrowse_Configuration_Guide#Authentication_and_Access_Control
>
> I just need to know:
>
> How do I tell JBrowse that it should be checking for a login (I assume there's a config value to be set)
> What value needs to be set in the cookie (I can see the cookie and that it has picked up my manually configured 'documentDomain')

What I said above wasn't quite what you were looking for. If there is something built-in that can be turned on by setting a value in jbrowse.conf (for example), that would be cool. HTTP Basic authentication might be better since you can request a password for every file within a directory. I chose CAS instead because I didn't want to manage user accounts...

Ray
Hi Raymond,
Thank you for getting back to me, unfortunately no-one else has commented.

With your initial pointer I'm taking a look at phpCAS and will get back to the list once I have a more detailed example.

https://github.com/Jasig/phpCAS/

Just waiting for confirmation of our CAS server details so I can start testing...

Regards,

Keiran Raine
Hi Keiran,
On Mon, Jun 13, 2016 at 9:09 PM, Keiran Raine <[hidden email]> wrote:
> With your initial pointer I'm taking a look at phpCAS and will get back to
> the list once I have a more detailed example.
>
> https://github.com/Jasig/phpCAS/
>
> Just waiting for confirmation of our CAS server details so I can start
> testing...

If you are using CAS, then I can do a bit better and fill in the blanks for you. I wasn't purposely withholding information -- after all, I worked out what I had to do from the phpCAS examples. But, I figured if you weren't using CAS, then I shouldn't bore you with the details.

Of course, the standard disclaimer applies -- I didn't really know what I was doing, so if you (or anyone else here) sees an obvious bug, please let me / us know. Our data isn't [at the moment] highly secretive, so I can be a little slack for now.

Indeed, my starting point was this: https://wiki.jasig.org/display/CASC/phpCAS . Alternatives using Apache's mod_auth_cas, Java, and Perl's AuthCAS module were also suggested by our administrators.

In short, this is index.php, which was a modification of JBrowse's index.html. XXX-about.php gives information about our JBrowse instance. config.php is the same as the phpCAS example and CAS.php is from the phpCAS library. You'll need to plug values into config.php.

-----
<?php
// Load the settings from the central config file
require_once 'config.php';

// Load the CAS lib
require_once $phpcas_path . '/CAS.php';

// Enable debugging
// phpCAS::setDebug();

// Initialize phpCAS
phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);

// For production use set the CA certificate that is the issuer of the cert
// on the CAS server and uncomment the line below
phpCAS::setCasServerCACert($cas_server_ca_cert_path);

// For quick testing you can disable SSL validation of the CAS server.
// THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
// VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL!
// phpCAS::setNoCasServerValidation();

if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}

if (isset($_REQUEST['login'])) {
    // handle incoming logout requests
    phpCAS::handleLogoutRequests(true);
    phpCAS::forceAuthentication();
}

// check CAS authentication
$auth = phpCAS::checkAuthentication();
?>
<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <title>XXX</title>
  <link rel="stylesheet" type="text/css" href="css/genome.css">
  <script type="text/javascript">
    ...SAME AS BEFORE...
  </script>
  <script type="text/javascript" src="src/dojo/dojo.js"></script>
  <script type="text/javascript" src="src/JBrowse/init.js"></script>
  <script type="text/javascript">
    ...SAME AS BEFORE...
  </script>
</head>
<body>
<?php if ($auth) { ?>
  <div id="GenomeBrowser" style="height: 100%; width: 100%; padding: 0; border: 0;"></div>
  <div style="display: none">JBrowseDefaultMainPage</div>
  <p><a href="XXX-about.php" target="_blank">About this genome browser</a></p>
  <p>Currently logged in as: <strong><?php echo htmlspecialchars(phpCAS::getUser()); ?>@XXX</strong>.</p>
  <p><a href="https://XXX.authsite.XXX/cas/logout?url=http://XXX.mysite.XXX/jbrowse/">Logout</a> (Closing the browser is also required.)</p>
<?php } else { ?>
  <h1>XXX</h1>
  <h2>Authentication Required</h2>
  <p>Access to the system requires you to authenticate yourself with our Central Authentication Service:</p>
  <p><a href="?login=">Login</a></p>
  <p>You can logout using the link at the <strong>bottom</strong> of the genome browser, followed by closing your web browser.</p>
<?php } ?>
</body>
</html>
-----

Perhaps it's somewhat obvious, but I started off with a "Hello World" that demonstrated authentication was working. After that, it was a matter of just combining that with JBrowse's index.html.

I hope this helps!

Ray
Hi Raymond,
I've been having a poke/think on this while waiting for our systems team to get back to me.

I don't think you are securing the underlying data in this way, just preventing users from accessing the web front end. Without modifications to the server configuration it doesn't know if it should be serving the underlying data.

The web-server backing your JBrowse instance basically serves files (or chunks of files) to the requestor. In a default nginx setup you can't list the content of a directory, but you can determine if it exists, e.g.

Area that doesn't exist:
    your.jbrowse/JBrowse/wibble = 404 Not Found

but a real location will give:
    your.jbrowse/JBrowse/sample_data/json/modencode/ = 403 Forbidden

If someone really wanted to be malicious, knowing that all datasets contain a trackList.json you can pull that file and use it to identify the paths to all your underlying datafiles:

-----
curl -sSL http://your.jbrowse/JBrowse/sample_data/json/modencode/trackList.json | grep -P '(urlTemplate|type)' | head -n 4
   "urlTemplate" : "seq/{refseq}/",
   "type" : "SequenceTrack",
   "urlTemplate" : "tracks/volvox_microarray.wig/{refseq}/trackData.json",
   "type" : "ImageTrack.Wiggle",
-----

Obviously this is more concerning when looking at config files containing VCF/BAM data, but this gives the idea. The impact of this depends on if the server is accessible publicly and how sensitive the underlying data is.

I've had a look at a few nginx implementations that show the changes required on the server side to secure all routes:

CAS: https://github.com/racx/cas-auth-lua-nginx
LDAP: https://github.com/kvspb/nginx-auth-ldap

I'll be trying out the LDAP route hopefully in the next few weeks.

Regards,

Keiran Raine
Hi Keiran,
On Tue, Jun 14, 2016 at 4:38 PM, Keiran Raine <[hidden email]> wrote:
> I've been having a poke/think on this while waiting for our systems team to
> get back to me.
>
> I don't think you are securing the underlying data in this way, just
> preventing users from accessing the web front end. Without modifications to
> the server configuration it doesn't know if it should be serving the
> underlying data.

Yes, I don't think CAS or any authentication system using cookies can protect the underlying data. I think you would have to add something like this to the server configuration (using Apache 2.4 syntax):

-----
<Directory "/var/www/html/jbrowse/">
    ## Allow access to everyone
    Require all granted

    # Disable access if the request is a set of files
    <FilesMatch "(\.json|\.txt|\.jsonz|\.txtz|\.bam|\.bai|\.htaccess)$">
        Require all denied
    </FilesMatch>
</Directory>
-----

[NB: Untested code above as I haven't installed it on our system yet.]

> Obviously this is more concerning when looking at config files containing
> VCF/BAM data but this gives the idea. The impact of this depends on if the
> server is accessible publicly and how sensitive the underlying data is.
>
> I've had a look at a few nginx implementations that show the changes
> required on the server side to secure all routes:

So, I should clarify what I said earlier about what I didn't test. I have played with some content management systems like Joomla and WordPress and even though both have login screens, you still need to modify the web server's configuration files (i.e., *.conf) to make it secure. Never mind leaking data...within days or weeks, your site could probably get hacked.

What I hadn't tested was whether the CAS code in the previous e-mail + the server code above can "secure" the system without losing any functionality. I *think* it might work because index.php will compile on the server side and incorporate all of the data before sending to the user, i.e., the user's web browser never really needs to directly request a .json file or a .txt file. But.....I haven't tested this yet since I didn't install the above Apache code yet. (The system I'm running this on is already blocking all external IP addresses. I suppose the login requirement is actually unnecessary.)

> CAS: https://github.com/racx/cas-auth-lua-nginx
> LDAP: https://github.com/kvspb/nginx-auth-ldap

Thanks! I will look at them later. But I did notice the CAS link has this in the README: "This is a POC project of a Lua module to authenticate CAS users on NGINX before reaching the application." I'm not sure if this is something I need. Our institute's IT department has already set up CAS for the entire university to use. In our case, if a user visits our JBrowse site and is not yet authenticated, the code I sent to you would kick them off to the IT department's authentication system. They authenticate them and then boot them back to us. Each time index.php is loaded, we're checking if the cookie with that centralized system is still valid (i.e., it might have expired). So, user creation and user authentication is deferred to this centralized system. All I'm doing is checking if the cookie is valid. It's possible that what I'm doing is further "downstream" from what you're doing if the CAS authentication isn't being handled by another system already...

Ray

PS: Disclaimer...my understanding of how CAS works; hope it's correct!
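The two server-side points raised in this thread (Keiran's: the dataset files are served no matter what index.php decides; Ray's: an extension-based deny list on the web server) can be checked against a deployment with the script below. It is an added example, not code from this thread or from the JBrowse project. It reads a dataset's trackList.json the way the curl command above does, expands each urlTemplate into the paths a browser will request, and asks for every path once as an anonymous client and once with a logged-in session. One fact it relies on: JBrowse is a client-side application, so once index.php has been served the browser itself fetches trackList.json and the track files with XHR. A rule that denies those files to everyone therefore also breaks the browser for logged-in users, and a setup that gates only index.php leaves them readable; what the check wants to see is a server that requires the session on every route under the JBrowse directory, which is what the nginx modules Keiran linked do. The trackList.json content, the reference-sequence name, the three `simulated_server` modes and the `session_cookie` argument are constructed for the example; `http_fetcher` is an assumed helper for running the same audit against a real base URL.

```python
"""Check that a JBrowse dataset is gated by the web server, not only by index.php.
Added example for this thread, not JBrowse project code. The sample trackList and
the simulated server are constructed; only http_fetcher talks to a real server."""
import json
import re
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Constructed trackList.json modelled on the curl output quoted in the thread,
# with one VCF track added because the thread raises VCF/BAM data.
SAMPLE_TRACKLIST = json.dumps({
    "formatVersion": 1,
    "tracks": [
        {"label": "DNA", "type": "SequenceTrack",
         "urlTemplate": "seq/{refseq}/"},
        {"label": "volvox_microarray.wig", "type": "ImageTrack.Wiggle",
         "urlTemplate": "tracks/volvox_microarray.wig/{refseq}/trackData.json"},
        {"label": "variants", "type": "JBrowse/View/Track/HTMLVariants",
         "urlTemplate": "calls.vcf.gz"},
    ],
})

# The extension list from the Apache FilesMatch rule in the thread.
DATA_EXT = re.compile(r"\.(json|txt|jsonz|txtz|bam|bai|htaccess)$")


def data_paths(tracklist_text, dataset_dir, refseqs):
    """Expand every urlTemplate in trackList.json into the concrete paths a
    browser will request for the given reference sequences. trackList.json
    itself is included: it is the file the thread shows being pulled."""
    tracks = json.loads(tracklist_text).get("tracks", [])
    paths = [f"{dataset_dir}/trackList.json"]
    for track in tracks:
        template = track.get("urlTemplate")
        if not template:
            continue
        if "{refseq}" in template:
            paths.extend(f"{dataset_dir}/{template.replace('{refseq}', ref)}"
                         for ref in refseqs)
        else:
            paths.append(f"{dataset_dir}/{template}")
    return paths


def audit(paths, fetch):
    """fetch(path, authenticated) -> HTTP status code. Report the paths an
    anonymous client can read (data exposed) and the paths a logged-in client
    cannot (the browser's own XHR requests would fail)."""
    exposed, blocked = [], []
    for path in paths:
        if fetch(path, authenticated=False) == 200:
            exposed.append(path)
        if fetch(path, authenticated=True) in (401, 403):
            blocked.append(path)
    return {"exposed": exposed, "blocked_for_users": blocked}


def simulated_server(mode):
    """Constructed stand-in for the web server, one mode per configuration
    discussed in the thread:
      page_only  index.php checks the CAS session; the web server serves the
                 dataset files to anyone
      deny_data  the FilesMatch rule: data extensions denied to everyone
      auth_all   the server requires a valid session on every route
    """
    def fetch(path, authenticated):
        if path.endswith("index.php"):
            return 200 if authenticated else 403
        if mode == "page_only":
            return 200
        if mode == "deny_data":
            return 403 if DATA_EXT.search(path) else 200
        if mode == "auth_all":
            return 200 if authenticated else 401
        raise ValueError(f"unknown mode {mode!r}")
    return fetch


def http_fetcher(base_url, session_cookie):
    """Assumed helper for a live check against your own server: base_url must
    end with '/', session_cookie is the Cookie header value of a logged-in
    browser session. HEAD is used so that no BAM is actually downloaded."""
    def fetch(path, authenticated):
        req = Request(urljoin(base_url, path), method="HEAD")
        if authenticated:
            req.add_header("Cookie", session_cookie)
        try:
            with urlopen(req, timeout=10) as resp:
                return resp.status
        except HTTPError as err:
            return err.code
    return fetch


if __name__ == "__main__":
    paths = data_paths(SAMPLE_TRACKLIST, "sample_data/json/modencode", ["ctgA"])
    for mode in ("page_only", "deny_data", "auth_all"):
        print(mode, audit(paths, simulated_server(mode)))
```

Against the simulated server, page_only reports every path as exposed, deny_data reports trackList.json and trackData.json as blocked for logged-in users while the seq/ directory and calls.vcf.gz (not in the extension list) stay exposed, and auth_all reports both lists empty. For a real deployment, pass `http_fetcher("http://your.jbrowse/JBrowse/", cookie)` with the real trackList.json text and reference names; after the server-side change both lists should be empty.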